Saskatchewan IPC Tables 2018-2019 Annual Report

Saskatchewan Information and Privacy Commissioner, Ronald J. Kruzeniski, Q.C., has submitted his office’s 2018-2019 Annual Report to the Legislative Assembly. In his Report, the Commissioner stated:

“The rest of this Report and the next five years of my term will really be focused on modernizing this legislation to take into account the database/internet world we now live in.”

In this year’s Report, he is calling for modernization of our access and privacy legislation to ensure new threats to privacy are sufficiently addressed and citizens are able to access public records with greater ease.  Some of those threats and process improvements identified in the Report are as follows:

  • Trustees to require express consent before using recording or video devices to collect personal health information;
  • Clarify that an access to information request may be made on the prescribed form, in writing or electronically;
  • Mandate trustees when using electronic means to collect, use or disclose personal health information to create, maintain and regularly audit records of user activity of those systems;
  • Explicitly state that access to manuals, policies, guidelines or procedures, if not on a government institution’s or local authority’s website, is provided free of charge;
  • Require all personal health information be stored in Canada;
  • Provide the ability of the Commissioner to comment on the privacy implications of new technology;
  • Include a section making access easier for those with disabilities; and
  • Streamline the fee structure and provide that no citizen pays if the costs are under $200.


Best practices when using USB drives

When thinking about this topic I decided to research how big of a USB drive I could actually purchase. I was surprised to see you can purchase one that stores 2 terabytes (TB) of data. Just think about that – something the size of a car key can hold 2 TB of data. With the ability to store that much data in a very small and portable way, it is important to be super vigilant when using memory sticks.

In January 2018, the IPC developed a resource – Helpful Tips: Mobile Device Security. This resource offers many tips and considerations that are helpful when using memory sticks, including administrative safeguards, technical safeguards and physical safeguards. However, here is a quick list of some things to keep in mind when using USB drives:

  • Encryption/password protected devices: Only purchase USB drives that have encryption or password protection functionality.
  • Strong passwords: If you have a need to store personal information (PI), personal health information (PHI) or other forms of sensitive or confidential information on a USB drive, be sure to have it locked by a strong password.
  • De-identify: When storing PI/PHI on a USB, de-identify the information wherever possible.
  • Delete data: Immediately delete the data from the USB once it is no longer needed.
  • Unattended USBs: Do not leave USBs in vehicles or unattended in public. If absolutely necessary, lock it in the trunk or glove box where it would be out of sight. When not in use in your office, be sure to lock it up.
  • Access on a Need-to-Know Basis: When storing data on a device, access to that data should be on a need-to-know basis.
  • Lost or stolen USBs: Report lost or stolen USBs immediately to your supervisor and the Privacy Officer.
  • Disposal: At the end of its lifecycle, be sure that all the data has been wiped from the USB. Once that is done, safely dispose of the USB or destroy it before disposal.

For more applicable information on USB drive use, please see the following resources:

 


Search Checklist

One government institution that we work with often has developed a search checklist, “Responsive Records Search Log”, which has really assisted them and my office in knowing that a thorough search was made. I asked permission and permission was given to take their search checklist and modify it so that it might be applicable to any government institution or local authority.

I encourage Access and Privacy coordinators to take a look at the sample search checklist and decide whether such a search checklist would help in ensuring thorough searches. Certainly, one should feel free to adapt the search checklist to the circumstances in one’s organization.

The search checklist could be distributed by the Access and Privacy coordinator to those that he or she has identified as part of his or her search strategy. Along with the search checklist, the Access and Privacy coordinator should give the recipient a timeline to complete the search and indicate whether he or she is only seeking a representative sample for building a fee estimate or a full search for responsive records.

I believe the search checklist is helpful when multiple employees in an organization have to do searches. I believe it assists the Access and Privacy coordinator in determining whether the organization has done a thorough search.

Please take a look at the sample search checklist on our website here. Of course, if you have any suggestions to improve this search checklist, please email my office.

News Release for Review Report 204-2018 Northern Village of Pinehouse

Saskatchewan Information and Privacy Commissioner, Ronald J. Kruzeniski Q.C., has issued his Review Report 204-2018 involving the Northern Village of Pinehouse. Kruzeniski stated:

My office will have now issued 13 Review Reports between 2013 and 2018 involving the Village. 12 of these reports deal with section 7 responses not being provided, delays in providing it or responses being inadequate. In addition, the Village did not cooperate with requests by my office in 10 of these cases.

And he further stated:

My office is concerned that the Mayor and the Village Administrator are obstructing the application of LA FOIP and believe that no town or village should be able to flagrantly disregard or obstruct the operation of a provincial statute. … The Minister of Government Relations has the power to direct an inspection or inquiry. I am recommending that the Minister direct an inspection or inquiry into the Village’s obstruction of LA FOIP.


Canada’s access to information and privacy guardians call for privacy regulation and oversight of political parties

In a joint resolution, Canada’s Information and Privacy Ombudspersons and Commissioners have called on governments to pass legislation requiring political parties to comply with globally recognized privacy principles, to provide Canadians with access to the personal information they hold about them, and to provide for independent oversight to verify and enforce privacy compliance.

Recent events have illuminated how political parties collect and use personal information to target individuals in specific and unique ways for political gain. Digital tools amass extensive amounts of personal information from diverse sources, frequently without the knowledge or consent of the individual.  These increasingly sophisticated big data practices raise new privacy and ethical concerns and the need for greater transparency is evident.

Further, Privacy Commissioner of Canada Daniel Therrien noted: “Recent investigations in various countries have revealed that political parties are gathering significant amounts of personal information on voters as they adopt new targeting techniques. Information about our political views is highly sensitive and it’s clearly unacceptable that federal and provincial political parties are not subject to privacy laws. The federal government’s response to public concern about how personal information is being used in the political process – Bill C-76 – adds nothing of substance in terms of privacy protection. It’s time to act to better protect the rights of Canadians.”

“Political parties access and use sensitive personal information of nearly all Canadians, but only in British Columbia are they subject to privacy legislation. These standards should be applied across the country so all Canadians have the same privacy protections,” says Michael McEvoy, Information and Privacy Commissioner for British Columbia.

The joint resolution, Securing Trust and Privacy in Canada’s Electoral Process, was agreed to at the annual meeting of federal, provincial, territorial Information and Privacy Ombudspersons and Commissioners. The full text is available on their respective websites.


Sask. IPC Tables 2017-2018 Annual Report

Saskatchewan Information and Privacy Commissioner, Ronald J. Kruzeniski, Q.C., has submitted his office’s 2017-2018 Annual Report to the Legislative Assembly.  Kruzeniski stated:

“It is wise to take steps to reduce the risks of breaches of privacy.”

In this year’s Report, he noted his office conducted 117 privacy breach investigations including issuing a number of reports where a person, the ex-partner, snoops on the new spouse or partner. As such, he urged organizations to take steps to reduce the risk of privacy breaches and provided advice as to how to achieve this end. Some recommended actions included:

  • Consider conducting privacy impact assessments;
  • Ensure new employees get privacy training;
  • Insist on the use of strong passwords;
  • Use two smart phones: one for work and one for personal use;
  • Have two email accounts: one for work and one for personal use;
  • Back-up your data;
  • Develop an audit plan;
  • Discipline snoopers; and
  • Build a culture of privacy.


Technology and function creep

“I love technology,
But not as much as you, you see.
But I still love technology.
Always and forever.”

- Kip from the movie Napoleon Dynamite

Technology takes on a central role in most, if not all, workplaces. It is difficult to imagine a workplace without computers. Further, cloud computing is enabling workplaces to organize themselves far more dynamically while completing tasks efficiently. With all of its benefits, we must be cognizant of technology’s impact upon employee privacy.

“Function creep” occurs when information is used for a purpose that is not the original specified purpose. For example, a workplace may install a security system that requires employees to sign in or sign out of the workplace. The purpose of the security system is to prevent unauthorized access to a particular workplace. However, organizations may end up using this information about individual employees to track employee attendance. This could be a privacy breach if the organization has not fulfilled the collection requirements in The Freedom of Information and Protection of Privacy Act (FOIP) and The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP). For example, if the organization is collecting the information to track employee attendance without informing employees of the purpose for which the information is being collected pursuant to subsection 26(2) of FOIP or subsection 25(2) of LA FOIP, then this would be a privacy breach.

Function creep is often unintended. However, this is not an excuse for organizations to breach employee privacy. Below are some suggestions that organizations could undertake to avoid or stop function creep:

  • Have at least one employee designated as the privacy officer.
  • Have a process in place so that employees (or members of the public) can raise concerns and that those concerns are investigated.
  • Since function creep is often unintended, organizations that learn their technologies or processes are resulting in function creep should be open to adjusting them so that the function creep is discontinued.
  • Regularly undertake privacy impact assessments (PIAs) to comprehensively analyze and evaluate how technology impacts privacy. A PIA is a process that should be undertaken not only by the privacy officer, but also by managers and employees implementing new technology, processes, projects, and/or programs. PIAs require teamwork!

For more information, check out my office’s resource called Technology’s Impact Upon Employee Privacy.

 


Amendments to FOIP and LA FOIP Proclaimed

The government of Saskatchewan has proclaimed Bill No. 30, An Act to amend The Freedom of Information and Protection of Privacy Act and Bill No. 31, An Act to amend The Local Authority Freedom of Information and Protection of Privacy Act effective January 1, 2018.  My office made proposals for the amendments of these Acts in June 2015.  I am most pleased these amendments were passed by the Legislative Assembly in May 2017 and now proclaimed.

The highlights of the amendments to both Acts are:

  • Obligations of government institutions and local authorities to provide breach notification to affected individuals if it is believed the incident creates a real risk of significant harm;
  • The Duty to Protect is now explicit for both government institutions and local authorities;
  • The Duty to Assist those requesting information is now provided for in the legislation;
  • Police services are now a local authority for purposes of the legislation;
  • There is now an obligation of government institutions and local authorities to enter into written agreements with information management service providers (IMSP);
  • MLAs and Ministers’ offices are obliged to protect personal information in accordance with the legislation;
  • The manner of access to records includes giving access in electronic form;
  • The offence provisions have been updated and expanded;
  • Government institutions and local authorities must take reasonable steps to post manuals, policies, guidelines and procedures to its websites; and
  • Categories of records are to be established that can be provided to the public without an application.

In addition, the Regulations to both Acts have been amended.  Some highlights of the Regulation amendments are:

  • Generally now fees do not have to be charged if under $100 or if the records involve the applicant’s personal information;
  • If records are provided to an applicant via a portable storage device (PSD), the cost of the electronic copies is the price of the PSD;
  • Consent requirements are expanded; and
  • Clarification is provided on what elements must be included in written agreements with IMSPs.

The amendments to the Acts and the Regulations are the most significant amendments to this legislation since its introduction in 1992 and 1993.

My office will be working on updating its resources on its website to reflect the changes that are in the amendments.

For copies of amendments to FOIP and LA FOIP, go to www.oipc.sk.ca under the Legislation tab.  The amendments to the Regulations will soon be available on my office’s website and the Queen’s Printer website.

Privacy versus Confidentiality

Privacy and confidentiality are two concepts often mistaken to be the same thing.

In terms of information, privacy is the right of an individual to have some control over how his or her personal information (or personal health information) is collected, used, and/or disclosed. In Saskatchewan, individuals’ privacy is maintained through FOIP, LA FOIP and HIPA. These three laws establish individuals’ right to privacy by setting out how government institutions, local authorities, and trustees are to collect, use, and/or disclose personal information or personal health information.

Confidentiality, on the other hand, is a far slimmer concept than privacy. Confidentiality is the duty to ensure information is kept secret only to the extent possible.

It is important to distinguish between these two concepts. This is because organizations often require employees to sign confidentiality agreements (i.e., keep information secret) but then offer very little or no privacy training.  There are certainly circumstances in which employees of government institutions, local authorities, and trustee organizations need to legitimately share information in order for their programs to function. However, sharing information may seem contrary to what confidentiality agreements require of them.

Privacy Officers play a vital role in ensuring that government institutions, local authorities, and trustee organizations are in compliance with FOIP, LA FOIP, and/or HIPA.  Privacy Officers should be experts in these three laws who can advise their organizations when it is okay to collect, use, and/or disclose personal information (or personal health information).

For fun, below are two haikus to help explain privacy and confidentiality:

Privacy

Collecting, using,
disclosing and safeguarding,
personal info.

Confidentiality

Keep info secret.
Do not tell anybody.
Or else you lose trust.

Closing a Practice

Back in 2011, this office issued an Advisory to address concerns we had at the time regarding abandoned patient records. That resource was titled Advisory for Saskatchewan Trustees for Record Disposition. This office is now again looking to provide some advice to trustees that are winding up their practice, as additional cases of abandoned patient records come to our attention.

In one recent case, a physician left the country, leaving behind both paper and digital patient records in two different locations. Section 22 of The Health Information Protection Act (HIPA) requires trustees that are closing up their practice to transfer custody/control of patient records to another trustee or an Information Management Service Provider (IMSP) that is a designated archive.  This physician did not do this. Instead, an IMSP was left with physical possession of patient records.  The full Investigation Report 214-2017 is available on our website here.

So what needs to be done in order to wrap up a practice without leaving loose ends? The Saskatchewan College of Physicians and Surgeons has a helpful resource, Leaving Practice – A guide for physicians and surgeons. In addition to HIPA obligations, this resource addresses other issues such as continuity of care and discharging patients. The Ontario Information and Privacy Commissioner published Succession Planning to Prevent Abandoned Records which considers obligations under its Personal Health Information Protection Act, 2004. HIPA is of course similar but not identical and applies to a wide assortment of trustees (i.e. affiliates, Saskatchewan Health Authority) with custody or control of personal health information, not just physicians.

In terms of HIPA compliance, some of the most important steps to take before closing a practice are as follows:

  1. If you have not done so already, create an inventory of all records (paper and digital) in your custody or control;
  2. If you do not have one, create a record retention/disposition schedule for all records;
  3. Custody or control of patient records must be clearly established before taking action;
  4. Before transferring patient records, enter into a written agreement with the successor trustee or IMSP (that is a designated archive, see HIPA Regs s. 4);
  5. Ensure that any multi-function devices that may contain personal health information are sufficiently wiped/erased or hard-drives are destroyed;
  6. Provide advance, adequate notice (letters to patients, notice on doors, voicemail message and details in the newspaper and/or online) to patients and others;
  7. Securely transfer patient records; and
  8. Leave no records behind including securely destroying any records that are up for disposition.

If a member of a regulated profession, the trustee can also seek advice from its health professional body, which also happens to be prescribed as a designated archive in the HIPA Regs. Do you have more questions? If so, let us know.